Another cloud-based data repository, this one belonging to Alteryx, has publicly exposed datasets from the data analytics firm's partner Experian and the US Census Bureau that contain sensitive personal information on 123 million Americans.
In what has become an alarmingly regular occurrence, UpGuard disclosed its director of cyber risk research Chris Vickery had found the unsecured Amazon Web Services (AWS) S3 cloud storage bucket that allowed access to AWS Authenticated Users, “in practical terms…'any user that has an Amazon AWS account,' a base that already numbers over a million users,” according to a company blog post.
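The misconfiguration described above is an ACL grant to AWS's predefined AuthenticatedUsers group, which any AWS account holder can satisfy. As an added example (not code from the article, UpGuard or Alteryx), the following check inspects a bucket ACL in the shape boto3's `get_bucket_acl()` returns and flags grants to that group and to AllUsers; the ACLs and owner ID are constructed samples, and no AWS call is made.

```python
# Added example (not from the article): a check over an S3 bucket ACL in the
# shape boto3's get_bucket_acl() returns, flagging grants to AWS's predefined
# global groups. The ACLs below are constructed samples; nothing calls AWS.

AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"

# AuthenticatedUsers is effectively public: any AWS account holder satisfies it,
# which is exactly the condition that exposed the Alteryx bucket.
GROUP_LABELS = {
    AUTHENTICATED_USERS: "any AWS account holder",
    ALL_USERS: "anyone on the internet",
}

def find_public_grants(acl):
    """Return (who, permission) pairs for every grant to a global group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        uri = grantee.get("URI", "")
        if uri in GROUP_LABELS:
            findings.append((GROUP_LABELS[uri], grant.get("Permission")))
    return findings

def bucket_is_readable_by_public(acl):
    """True if a global group can list the bucket or holds full control."""
    return any(perm in ("READ", "FULL_CONTROL")
               for _, perm in find_public_grants(acl))

OWNER = {"Type": "CanonicalUser", "ID": "constructed-owner-id"}

# Constructed sample: owner plus a READ grant to AuthenticatedUsers, the
# pattern that made the bucket listable from any AWS account.
EXPOSED_ACL = {
    "Owner": {"ID": OWNER["ID"]},
    "Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "READ"},
    ],
}

# Constructed sample: the same bucket with the group grant removed.
FIXED_ACL = {
    "Owner": {"ID": OWNER["ID"]},
    "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}],
}
```

Running the check against every bucket in an account on a schedule is the kind of continuous monitoring that catches a grant like this before the data is indexed by someone else.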
The sensitive information in the datasets included home addresses, contact information, purchasing behaviour, mortgage ownerships and financial histories, which UpGuard said “constitutes a remarkably invasive glimpse into the lives of American consumers.”
Calling the AWS misconfiguration leak one of the largest yet seen, and an avoidable one, Rich Campagna, CEO of Bitglass, said, “Cloud app misconfigurations continue to pose a major threat to data security and clearly calls for all organisations to reevaluate their security posture and processes.”
Indeed, “2017 headlines have been chock-full of outrageous – and frankly 100 percent avoidable – data breaches as a result of simple misconfigurations,” said Zohar Alon, cofounder and CEO of Dome9. “In an age where organisations are running their entire infrastructure in the cloud, or developing business-critical applications in containers, we're stuck discussing the implications of not changing the default settings on third-party software week after week.”
Data-rich S3 buckets are a tasty target for attackers.
"This amount of personal information can be a goldmine for hackers using these digital bread crumbs to piece together the life of their target," said Adam Levin, chairman and founder of CyberScout and author of Swiped. "Consumers could be exposed to a host of identity theft schemes including financial, criminal, medical and tax related."
JASK director of security research Rod Soto noted “there's a good chance data is in the wrong hands. Malicious actors are using many different tools to discover such buckets, or they are finding information in other sources such as GitHub or by performing other attacks that may get hints or direct clues of the use of AWS buckets.”
The latest leak also underscores the importance of locking down third-party security. “This case highlights that third-party vendor relationships are a growing cybersecurity risk. Data from three different organisations - Alteryx, Experian, and the US Census Bureau - was revealed,” said Varun Badhwar, CEO and co-founder of RedLock. “More companies should demand security audits of their partners, suppliers, and service providers, and implement tools such as continuous cloud infrastructure monitoring to identify misconfigurations and irregularities before they expose consumer and enterprise data.
An organisation's security, stressed Badhwar, is only as good as its partner's security. It's time to look at security and compliance through this holistic lens.”